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What is claimed is: 

1 . Method for performing network surveillance, said method comprising the 
steps of: 

receiving a plurality of network packets handled by a network entity; 

building at least one statistical profile from at least one measure of said 
plurality of network packets; and 

analyzing said at least one statistical profile to detect suspicious network 
activity. 

2. The method of claim 1 , wherein said at least one measure monitors data 
transfers by monitoring network packet data transfer commands. 

3. The method of claim 1 , wherein said at least one measure monitors data 
transfers by monitoring network packet data transfer errors. 

4. The method of claim 1 , wherein said at least one measure monitors data 
transfers by monitoring network packet data transfer volume. 

5. The method of claim 1 , wherein said at least one measure monitors 
network connections by monitoring network connection requests. 

6. The method of claim 1 , wherein said at least one measure monitors 
network connections by monitoring network connection denials. 

7. The method of claim 1 , wherein said at least one measure monitors 
network connections by monitoring a correlation of network connections 
requests and network connection denials. 
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8. The method of claim 1 , wherein said at least one measure monitors 
errors by monitoring at least one error code included in a network packet, 
wherein said at least one error code comprises a privilege error code or an error 
code indicating a reason a packet was rejected. 

9. The method of claim 1 , further comprising the step of: 
responding based on determining whether said at least one statistical 

profile indicates suspicious network activity. 

10. The method of claim 9, wherein said responding step comprises 
transmitting an event record to a network monitor. 

1 1. The method of claim 10, wherein said transmitting the event record to a 
network monitor step comprises transmitting the event record to a hierarchically 
higher network monitor. 

12. The method of claim 1 1 , wherein said transmitting the event record to a 
network monitor step comprises transmitting the event record to a network 
monitor that receives event records from a plurality of network monitors. 

13. The method of claim 12, wherein said network monitor that receives 
event records from said plurality of network monitors comprises a network 
monitor that correlates activity in said plurality of network monitors based on 
said received event records. 

14. The method of claim 9, wherein said responding step comprises altering 
said analysis of said plurality of network packets. 

15. The method of claim 9, wherein said responding step comprises severing 
a communication channel. 
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16. The method of claim 1 , wherein said network entity comprises at least 
one of a gateway, a router, a proxy server, a firewall, and a virtual private 
network (VPN) entity. 

17. The method of claim 1 , wherein said plurality of network packets are 
partitioning into a plurality of sessions representing a communication 
transaction between two hosts. 

18. The method of claim 17, wherein said at least one measure monitors 
network connections by monitoring a source port number and a destination port 
number included in one of said network packets. 

19. A computer-readable medium having stored thereon a plurality of 
instructions, the plurality of instructions including instructions which, when 
executed by a processor, cause the processor to perform the steps comprising 
of: 

receiving a, plurality of network packets handled by a network entity; 

building at least one statistical profile from at least one measure of said 
plurality of network packets; and 

analyzing said at least one statistical profile to detect suspicious network 
activity. 

20. Apparatus for performing network surveillance, said apparatus 
comprising: 

means for receiving a plurality of network packets handled by a network 

entity; 

means for building at least one statistical profile from at least one 
measure of said plurality of network packets; and 

means for analyzing said at least one statistical profile to detect 
suspicious network activity. 



